Articulate.ppam file flagged as Malicious by

May 24, 2023

Richard Gailey
By Richard Gailey

Hi,

We had an alert today that was flagged by MCAS (Microsoft Defender for Cloud Apps) after a user was backing up some files for Potential Ransomware Activity.

The file that triggered the alert was Articulate.ppam.

The SHA-256 hash for the file is:

8ed8eb19b90571e70a6f38ef0b7db65eb7286e76207601f348525dc5568d5e58

Other hashes for this file are:


MD5: 47f15de946052aef1c2bdf90f8fdfc24
SHA-1: 5ff867f0f0def05f962ddba8ad746608e892c6b2
SHA-256: 8ed8eb19b90571e70a6f38ef0b7db65eb7286e76207601f348525dc5568d5e58
Vhash: 770dfcb76f5cf0b3f56a3ad3526bb2c2
SSDEEP: 12288:tAa0MrQGDMo0jn5xw8Qi67Kb/q80TH419gkCGcgGVMS/OsbAX6d3p:tTcGYvnnxQiIKb/q80zyzkH/Oj8
TLSH: T147C423D1ADF2F146CBEFADB908064C3212E04B7A2D1587D612E764FC441D6DB9E06CBA

When checking the file hash on VirusTotal it is flagged by 5 vendors as malicious.

Can you please let me know why a valid product is being flagged for this?

The file size is 531 KB but there is no version info for the file.

LabsInquest report on findings is here

Any insight in to this would be appreciated. Is this file present in the latest version of the Articulate Studio software?

Apologies if I am posting this in the incorrect thread.

Regards,

Richard

1 Reply
Eric Santos
12 months ago05/25/23 at 2:06 pm (UTC)

Hi Richard,

Thanks for reaching out and providing the details about the malware report! This is a false positive caused by Articulate Studio using Visual Basic for Applications (VBA) inside Microsoft Office.

If your IT team will allow you to add Articulate.ppam to your allowlist, that will also enable you to use Studio 360 if you're experiencing loading issues.

Let me know if you have questions!

Sign In to Reply